A letter arrived from my bank this week. Normally that’s nothing special – bank letters don’t make for the most exciting reading. This one, though, was something special. It spoke of daily limits, security concerns, and a new debit ard I would soon receive. My old card would no longer work, it explained, and I would need to make sure any automatic payments I had set up were updated. Why? The answer’s simple: The Target data breach.
The most recent reports suggest that as many as 110 million accounts may have been affected.
Like millions of others, I used my card to buy items from Target over the holiday season. Like millions of others, my card information – including the security code and expiration date – have now been stolen. I’m lucky enough not to have been targeted by the thieves, and the bank’s response should now ensure that my information is once more my own. Others haven’t been so lucky, and one question remains unanswered: How did this happen?
The most recent reports suggest that as many as 110 million accounts may have been affected. Hackers, it seems, were able to access card readers at Target stores throughout the United States, collecting card security codes, account numbers, and other data. The company is now offering a year of free credit monitoring to customers, while also facing questions from the U.S. Senate. Reuters reported on Monday that Democrats in the House have called for a congressional inquiry into the security lapse.
There’s a lot of soul searching going on at the moment. Headlines such as “Has Wall Street missed the mark on Target?” and “JPMorgan CEO: Target breach is a wake-up call” reveal the wider concern and implications of this breach. Can consumers feel safe when using the debit and credit cards at large retail stores? What protections can banks offer?
Some, meanwhile, have suggested that Target may have been warned about the threat to its system up to seven years ago.
A newly proposed class action lawsuit alleges that Target Corp. received – and ignored – warnings about weaknesses in its system. Filed in California federal court this week, the suit alleges that Target was negligent and violated fair business practice laws after a security expert highlighted flaws in its point-of-sale (POS) system in a 2007 white paper. The store is also accused of misleading customers over the security breach by failing to reveal the true extent of the problem. Target’s initial report, released on December 29, 2013, claimed that up to 40 million credit and debit card details had been stolen. The company has now amended that figure to 70 million. Others have claimed the true number of cards affected remains much higher. It also looks like customer’s PINs have been compromised – something Target initially denied.
The lawsuit claims that, in 2007, cybersecurity expert Neal Krawetz a published a white paper detailing POS vulnerabilities, using Target as an example on how thieves might exploit system weaknesses. A Target employee allegedly acknowledged receipt of the white paper at the time and even offered to share it with other retailers.
Now, it looks like no further action was taken.
The suit is seeking to represent a nationwide class of consumers who had their information compromised after using a credit or debit card in a Target store.
It remains to be seen how the suit will go, but with Target Corp. still in damage control mode and a lot of questions unanswered, you can be sure this isn’t the last we’ve heard of this. Earlier this week the chairman of the Senate Judiciary Committee, Patrick Leahy, argued once more for a bill that would impose new security network rules on businesses. Sen. Leaky has previously pushed for a reform of criminal laws under the Computer Fraud and Abuse Act, introducing a Personal Data Privacy and Security Act to four Congresses in a row, to no avail. With so many people still worried about their personal information being stolen, the time may have come for the government to act.